Botnet mastermind gets four years in slammer for fraud

The first person to be charged under federal wiretap statutes for using a botnet to steal data and commit fraud was sentenced to four years in prison this week.

John Schiefer, a 27-year-old Los Angeles resident, was also ordered to pay $2,500 in fines.

The sentence was handed down Wednesday by U.S. District Judge Howard Matz in federal court in Los Angeles.

Schiefer, a former security researcher, agreed to plead guilty in November 2007 to stealing usernames, passwords and financial data from more than 250,000 compromised systems, then installing adware on the massive botnet that he and several accomplices set up.

The guilty plea was formally entered and accepted last April, and sentencing was originally scheduled for last August but was extended several times because of motions filed by Schiefer.

He faced a maximum of 60 years in prison and fines of $1.75 million after admitting to four felony counts involving illegal access to computers, illegal interception of data and wire fraud.

Schiefer, who used the online handle “acidstorm” as well as both “acid” and “storm,” worked until early 2006 as a security consultant at a Los Angeles-based network services provider named 3G Communications Corp.

According to court documents, Schiefer used both home and work computers as part of the data theft scheme, in which he and his accomplices compromised systems.  

They planted malware that added the machines to their botnet and enabled the cybercrooks to intercept and capture communications between the systems and various Web sites.

Modus operandi

Schiefer and his co-schemers most likely infected PCs with Trojan horses, although the court papers didn’t specify the malicious code.  They managed to add the compromised systems to a botnet and then stole usernames and passwords stored by Microsoft Corp.’s Internet Explorer browser.

IE, like other browsers, will save that information to speed future log-ons. Schiefer mined the data retrieved from the botnet to access multiple PayPal accounts as well as other financial accounts and then plundered them.

Some of the looted PayPal funds were used to pay for more Web hosting space and bandwidth to continue spreading the malware and adding to the botnet, prosecutors said.

Totally there were a quarter-million machines in the botnet.

The ad-generating software was provided by TopConverting, which at the time was an adware affiliate of a Dutch marketing company, Simpel Internet.

TopConverting, also known as Crazywinnings, is now defunct, but as recently as the summer of 2006 it was well known to anti-adware experts, who said it was often installed by unauthorized drive-by downloads.

The gang collected approximately 14 cents per adware installation, or nearly $20,000, from Simpel, and repeatedly told the Dutch company that the installs were legitimate, according to the government’s charges.

Schiefer rode herd not only on the botnet, but also on his accomplices, court documents showed.

The data thieves also used malware to steal user credentials directly from the Protected Storage, or PStore, subsystem offered in older versions of Windows.

According to law enforcement officials, the malware would capture supposedly secure information from PStore and send it to servers controlled by Schiefer and his accomplices.

Schiefer admitted to illegally installing adware programs on nearly 150,000 of the compromised systems without the consent of their owners.

When Schiefer agreed to plead guilty to the charges against him, he also said he would pay nearly $20,000 in restitution to the Dutch company and to financial institutions that he had defrauded, according to court documents.

Several others, named only by their online monikers, were listed as accomplices.

According to Assistant U.S. Attorney Mark Krause, Schiefer, also known as “Acidstorm” and “Acid,” was the first to be charged under federal wiretap statutes for using a botnet.

In June 2005, he chewed out a co-conspirator with the online nickname of “Butthead” because the malware wasn’t infecting enough PCs for his liking.

The underperforming malware, said Schiefer, was “sketching [him] out.”

He also told Butthead to keep the number of malware-infected machines at a consistent number to avoid detection, saying, “Make sur ur running that dl on ur chans so we can keep the stats stable.”

Schiefer blasted another accomplice, dubbed “Adam,” for worrying about stealing money from the compromised PayPal accounts.

Schiefer reminded Adam that he was a minor and then told him he should just “quit being a bitch and claim it.”

Schiefer was employed by 3G Communications Corp. of Los Angeles as a security consultant until early 2006. He used both work and home computers to oversee the botnet.

Source: Computerworld.com

Share on LinkedIn Share with Google+